
Implement License Scanning SBOM scanner

Why are we doing this work

To achieve License Scanning using License DB and SBOM comp... (&9400 - closed), we need to implement a License Scanning SBOM Scanner that inherits LicenseScanning::BaseScanner, and that returns licenses of project dependencies using the SBOM reports.

NOTE: The SBOM Scanner is behind a feature flag. See Feature flag to enable License Scanning SBOM sc... (#384935 - closed)

Further details

The SbomScanner class has been introduced in !105747 (merged) but its methods haven't been implemented.

The SBOM scanner responds to report, has_data?, and data_available?. See #384934 (closed)

#report should do the following:

  1. Fetch project dependencies for the given project or pipeline using SBOM component fetchers.
  2. TBD: Normalize component names, unless the SBOM component fetchers already do it. See #384932 (comment 1230139272)
  3. Get the licenses of package versions using another fetcher.
  4. Build and return a Ci::Reports::LicenseScanning::Report.

The SBOM scanner works even when the SBOM reports don't contain normalized component names. For instance, it should return the correct licenses for a component whose PURL is pkg:pypi/djanGO. (Canonical name is Django, and normalized name is django.)

#has_data? and #data_available? should behave as documented in !105533 (merged):

  • #has_data?: Evaluates if the scanner had license scanning data. In terms of the artifact scanner, it will evaluate to true if there was a job that returns a license_scanning report. For the SBoM scanner, this may materialize as having SBoM generator jobs.
  • #data_available?: Evaluates if the scanner has completed "scanning". In terms of artifact scanning, this is determined if the pipeline with the license scanning report has a status of success.

PipelineComponents needs to be updated: the name it returns can't be directly compared to pm_packages.name, which is normalized and includes the namespace (npm) or group ID (Maven). Code: "#{component.purl.namespace}/#{component.purl.name}". See #384932 (comment 1243704431)
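As an added example (not GitLab's SbomScanner, PipelineComponents or License DB code), the Ruby below sketches the #report steps above together with the full-name normalization: a minimal purl parser, per-ecosystem name normalization, and a lookup in a constructed license table keyed the way pm_packages.name is described. The PEP 503 rule for pypi names, the LICENSE_DB shape and all helper names are assumptions.

```ruby
# Added example, not GitLab's SbomScanner. Helper names, the LICENSE_DB shape and
# the PEP 503 rule for pypi are assumptions standing in for the License DB tables.
Component = Struct.new(:purl_type, :namespace, :name, :version)

# Decode only %XX escapes ('+' must stay literal, e.g. in versions like 1.0+build).
def pct_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Parse the subset pkg:type/namespace/name@version, dropping ?qualifiers and #subpath.
# A '@' counts as the version separator only after the last '/', so an unencoded
# npm scope such as @babel still parses when no version is present.
def parse_purl(purl)
  body = purl.delete_prefix('pkg:').split(/[?#]/, 2).first
  at = body.rindex('@')
  slash = body.rindex('/') || -1
  path, version = at && at > slash ? [body[0...at], body[(at + 1)..]] : [body, nil]
  segments = path.split('/').map { |s| pct_decode(s) }
  type = segments.shift
  name = segments.pop
  namespace = segments.empty? ? nil : segments.join('/')
  Component.new(type, namespace, name, version && pct_decode(version))
end

# Normalize to the form the package-metadata name is assumed to use:
# pypi follows PEP 503 (lowercase, runs of -_. collapse to '-'), so djanGO -> django;
# npm and Maven keep the namespace / group ID as a prefix, as the issue describes.
def normalized_name(component)
  case component.purl_type
  when 'pypi' then component.name.downcase.gsub(/[-_.]+/, '-')
  when 'npm', 'maven' then [component.namespace, component.name].compact.join('/')
  else component.name
  end
end

# Constructed stand-in for the License DB: purl type -> normalized name -> version -> licenses.
LICENSE_DB = {
  'pypi'  => { 'django' => { '4.2' => ['BSD-3-Clause'] } },
  'npm'   => { '@babel/core' => { '7.0.0' => ['MIT'] } },
  'maven' => { 'org.apache.commons/commons-lang3' => { '3.12.0' => ['Apache-2.0'] } }
}.freeze

def licenses_for(purl)
  c = parse_purl(purl)
  LICENSE_DB.dig(c.purl_type, normalized_name(c), c.version) || ['unknown']
end

# Report step 4 in miniature: one row per component, keyed by the normalized name.
def build_report(purls)
  purls.map { |p| c = parse_purl(p); { name: normalized_name(c), version: c.version, licenses: licenses_for(p) } }
end
```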

Relevant links

Non-functional requirements

Implementation plan

  • Update PipelineComponents to return full normalized names. See #384932 (comment 1243704431)
  • Implement the SbomScanner, and update its specs.
  • Add a new license_scanning_sbom_scanner feature flag.

Verification steps

Verify the license_scanning_sbom_scanner feature flag by enabling it in a project where Dependency Scanning is used to generate SBOMs:

  1. Set up a project supported by Dependency Scanning and License DB.
  2. Enable feature flag for that project. See #384935 (closed)
  3. Add Dependency Scanning to the CI config, and add dependencies to project.
  4. Check licenses in License Compliance page.
  5. Check other features that have already been refactored as part of &8532 (closed).

Non-regression test

  • Go to a project where License Scanning has been configured, and that has License Scanning artifacts.
  • Use any License Scanning feature that's been refactored as part of Use License Scanning service (&8532 - closed).
  • Make sure that there's no regression.

The verification tests are blocked by Feature flag to enable License Scanning SBOM sc... (#384935 - closed).

Also, check whether Licenses do not show up in Dependency List for ... (#333839 - closed) is fixed when enabling license_scanning_sbom_scanner. See !109447 (comment 1263301787)

Edited by Fabien Catteau